Skip to main content

tv   Politics Public Policy Today  CSPAN  May 14, 2015 11:00am-1:01pm EDT

11:00 am
to applying them across the industry? >> you're speaking specifically about a law written for the financial services committee. >> i'm talking about the law -- i'm talking about my bill. >> right so you would be expanding under your legislation, expanding to the rest of the business community. what you're saying is we can stick within the current regulatory structure that has the federal trade commission regulators. >> we took principles from this but this isn't -- this is a uniform national standard. >> the time of the gentleman is expire expired. >> i would like to pauk about this issue because wrn it's a concern for many of the members and we worked hard to address
11:01 am
it. i said in the opening comments that the preemption should not have the unaintended consequence raised outside the bill. we would certainly be willing to make that plain. miss moy, you said -- i thought i heard you say that we shouldn't have -- 50 different standards is not the answer. is that what you said, or did i mishear your comments? >> so what i have said is i think the best for consumers would be to create a floor, not a ceiling so that states can continue -- >> so set a national standard and then allow states to protect additional categories of information. >> so my understanding is 13 states have data breach standards like this. and ours would be better than all of them except maybe one
11:02 am
which is massachusetts and i've been talking to my colleagues from massachusetts. would you agree with that? >> i -- well so i think that oregon has a pretty good standard and i also think there are elements of other state laws that you might not consider specific day sta security laws. >> a pretty high standard? >> it is a pretty high standard. yes. >> so that's the starting point for us. there's been discussion about the standard of energy and commerce. would you say that's a high standard, a higher standard than what our bill would propose? >> so that standard is a reasonableness standard that looks like what the federal trade commission is currently doing. so the difference here is not only what the language says in that bill, also i think we would be looking to the common law of the federal trade commission but it's also really important as we're thinking about how strong the security standard is, to think about who has the enforcement power and
11:03 am
who will be guiding the parties there. if the federal agencies are solely responsible for it, then even a very strong standard might not provide a strong protection, as a general reasonableness standard that allows state ags to work on a peace meal basis with entities trying to comply. >> so you think the standard in our bill is pretty good, pretty high standard in terms o f a federal standard, but you believe the states ought to have the flexibility to go beyond that? >> notwithstanding some of the issues that might create in terms of having different standards. how about this enforcement question? have you looked at our bill in terms of the enforcement provisions in the bill, and how would you suggest that they be approved from your point of view? >> so i have looked at it. unfortunately i'm not prepared to provide a detailed response but i would be happy to in writing for you prefer that. i think the key issue with respect to enforcement, i think
11:04 am
your bill would only fall sill date enforcement by federal agencies. >> so what i heard you say is allowing the state ags some kind of role would be an improvement. again, not having looked at the details there. >> yes, i believe a very critical element here is we must have enforcement authority. >> so i explore the issues because in my opening statement, we are willing to try to improve the bill to get a greater consensus around -- we believe that as you said a national standard is important to have. 50 different standards is not the way to go. it's got to be the high bar, and one that's enforceable. would any other panelists like to comment on the conversation we've just had about preemption about the standard and the enforceability of that standard. >> if i could, congressman carney, i think the bill on a bipartisan basis, really takes on this issue in the right way.
11:05 am
and that is to recognize that the act of legislating to unify 47 disparate state regimes with a federal regime that is not preemptive would merely be adding a 48th regime and wouldn't serve the purposes that the legislation seeks to undertake, which is to protect consumers' financial information, and from eta's perspective, the bill takes a right approach to ensure the the federal regime is operative and not interfered with. >> and everybody agrees that we need a higher standard and one standard across the country? >> we fully agree there should be a national standard. we think the states deserve a tremendous amount of credit for acting in a place where the the federal government has not yet. that's why we believe as a broad concept, preemption should offer state preemption and state ags should have the ability to play a role in the enforcement of it.
11:06 am
>> thank you, mr. chairman. >> the time of the gentleman has expired. the chair recognizes the gentleman from new jersey mr. garret chairman of the national sub market committee. >> thank you chairman. thank you for holding this hearing. an issue that hits home for a lot of folks. let me start at the basics, if can. when there is a breach p, and someone does steal your card and go to a retailer and buy a tv and you find out and so on and so forth. who actually is responsible for that? does target have to pay the bill for that? does the bank that issued my mastercard or, if it's not that, is it the bank, or it is the visa or mastercard or discovery paying for that? >> congressman garret the answer is a little complicated but the oversimply fied version -- >> that's what i'm looking for.
11:07 am
>> the consumer is made whole. the issuing bank makes them whole. there's a secondary process managed and run by contract between the payment networks and various networks that gets resolve ed resolved through merchant ak kwiers, the issuer, which people take issue with how that all works from time to time, but that is how it gets sorted out after the fact. >> i would just add to that, yes. the merchant ultimately pays for fraud in the wake of a data breach, should it have occurred at a retailer. they also pay a variety of fees. if first one on every fee ever processed. the component is a prepayment of fraud, prepayment of a data breach, and then post breach there's a fee associated with reissuing the cards. >> and that's why the banks have
11:08 am
to pay the 15 bucks or whatever it is to send me a new card. >> the merchant repays the fees -- >> really i've heard different from that. >> i've included a statement in my written testimony. >> i got a card that have a little chip on it and also to be clear on this, putting this chip on the card may help to some degree as far as the lost card or the stolen card and the data breach as far as going to the retailer. but as someone else on the panel said, i know it was in the testimony, this chip does nothing with regard to when they steal the information and they use it online. is that correct? >> it's important to note the technology that's available today, europe introduced something called chip and pin technology more than a decade ago. >> right, and in europe my understanding is you saw an uptick of the data breaches, not
11:09 am
on at the store anymore or the retailer anymore, but now online. is that correct? >> that's true. it moved online and it moved to the united states. >> the united states will still have the weakest technology. >> and somebody said, and maybe down here you said we can't solve all of this stuff and doing the chip is not going to solve it entirely. but what seems to be a lot of discussion on the bill as well as the the disclosure information -- that doesn't do anything as far as preventing the fraud in the first place. that tells me as a consumer, you were robbed and now this is who is going to pay for it. >> if i could answer your specific question about the chip, you're absolutely right. the chip in the card prevents
11:10 am
the card from being counterfeited. that is today the number one source of card fraud in the u.s. it's about two-thirds of card fraud at retail. it does not address the the online issue. the the online fraud issue is addressed by the other layered technologies. >> and real quick on this because my time is running out real fast. the data on the card when i use this chip and i put it through has my number on it. i hope nobody can see this. does the retailer keep that information? >> the retailer transacts that information. >> so if somebody now breaches -- >> retailers are instituting -- many have and all are moving towards it to make sure that information -- >> so it's still a target, not to use that company. but it's still a target for the hacker to go into the retailer, or any. medical or whatever. the hospital keeps that information too, i guess. as a data source, where they'll go and try to breach it, and they won't be going to the retailer to use it. but they'll do it online.
11:11 am
so it's still a target. maybe a larger target. is that true now with the chip? is it a larger target because of that as well? >> i think it's important that we recognize chip technology is really designed to button down the point of sound to defend against counterpoint and losses stolen. it is but one critical layer of security. there's other technologies that have been referenced in testimony here today such as point-to point encryption and tokenization that will protect that data from the cyber breach you're referencing. >> may i add a short comment in response to the notification. >> thank you. thank you so much. so yeah, i just wanted to say i think notification does provide an important incentive to keep information security. someone has written testimony pointed out companies do suffer reputation harm harm as a result of reporting breaches. that is important for
11:12 am
consumering voting with their wallet as they're determine which service to go with. >> time has expired. the chair recognizes the ranking member of our capital committee. i think the button hadn't been pressed. >> thank you chairman and ranking member for putting this together. st it's an incredibly important issue because it protects everyone. consumers, governments, retail institutions. and i want to commend you putting forward a bill to create a national security standard for all businesses that handle financial information for consumers. this would strengthen the security but in a way that's flexible and can can evolve as cyber threats change and evolve. i am still concerned about the scope of the state preemption in
11:13 am
the bill and i want to keep working on the preemption and enforcement provisions. but i have signed onto this bill as a cosponsor because i think it's a serious good faith effort to tackle l what is a critically important issue to our economy, and again, i would like to commend you for hard work and leadership on this issue. i look forward to working with them, particularly in the enforcement and the provisions in it. my first question is to governor pawle in pawlenty. i would ask -- >> congresswoman maloney, no. the standards have been flexible. and i think congressman
11:14 am
neugebauer and carney have made a good model. >> so in other words they've worked well and not be too burdensome for smaller financial institutions and won't be too burdensome for smaller retailers. i would also like to know your feel gsz about the -- having a minimum or a floor standard. i know that california and oregon have a standard that's higher. i think it's important you have to have a floor. do you think it should be a floor, or do you think it should be a ceiling and why? >> congresswoman, again another great question. right now we have nothing. >> right. >> in many sectors so something is better than nothing. floor would be progress. but ceiling, if it's set high,
11:15 am
you know i would just encourage you -- in minnesota when i was governor, we passed what we thought were nation leading data protection standards and notification standards you wouldn't want a bill to undercut the the 13 or so states that have done this. so if you're going to set it set it high. and i think that would be the best place to be. and think about how they store data, the fact that there's wide variance between states, it doesn't sync with how it gets done. >> as a governor you know how valuable the creativity of the government is to come out with solutions adopted in this area. it seems to evolve every day with new technologies, new ways to threaten consumers, and really the security of our information. i would like to ask steven orphy, given your organization's experience in establishing data security protocols and
11:16 am
procedures, what would you say are the most important aspects of a company's data security plan? in other words, what is the most important thing that a company could do to protect their customers, to protect their company against data breaches? >> thank you congresswoman, for that question. i think what is most important is the pci standard in our view against the data security attacks. it really becomes a question of vigilance. and being methodical and disciplined in your approach, and looking at and paying special attention to the fundamentals. to the blocking and tackling. looking at the physical and logical security. it's day in and day out. it needs to be 24/7. it needs to be built into the dna of an organization from the ceo right down to the working level. level.
11:17 am
>> okay. thank you. you mentioned in your testimony mr. -- oxman, that you thought that sharing information was so important, and can you just expand on that, on what we need to do additionally in expanding information in this area? >> thank you congressman maloney. the issue is companies are barred from sharing cyber information with each other, and in some cases with the government. the house passed a measure that we support, that will eliminate those impediments to that kind of important information sharing. we support that legislation. we hope the senate will move forward on it, and we need to make shire that companies can without liability share information with each other and the government to prevent future threats. >> thank you, my time is expired. thank you. >> chair now recognizes the gentleman from missouri. the chairman of the housing and insurance sub committee. >> thank you mr. chairman. >> i'm kind of curious. i want to approach this from a different angle this morning from a standpoint of you know
11:18 am
when we have a data breach and whose fault is it? if somebody is at fault there's going to be some liability. and it seems to me and my experience is from the institutions i've been aware of. and i appreciate the governor's description of who winds up paying the bill on this, but generally the banks wind up or the financial institution that issues the card originally are the ones that wind up footing most of the bill. and it would seem to many that be that at some point as a regulator, i would think that you would go into a financial institution and see a number of retailers. and we had a supermarket that issued debit cards. and suddenly esh in the whole area, the whole region, actually the information was broached. there was a tremendous cost to the financial institutions, and it would seem to me as a
11:19 am
regulator, you would like at this as a liability exposure from a stand point of what you're going to have incur from the retailers not having adequate protections. from mr. dodge's perspective, it looks like i would think that the regulators would ask the financial institutions to force the retail folks to have a policy in place an insurance policy in place to protect them against the data breach, so that the banks will now be in the fallback position for a data breach. government, would you like to comment on the thought process? am i off on that. >> i think you've connected the dots exactly correctly. on your last point about cyber insurance, that's an evolving area. some think traditional insurance covers it. there's some uncertainly about how to underwrite it when you can't get your arms around the magnitude of it. so that's an evolving and developing space and one that is -- >> how do the standards fit into that situation? >> well, the standards fit into
11:20 am
that because if you set standards like the financial services has on the ere other sectors and we get resilient systems, that's good for financial institutions, the payment system, and frankly it's good for everybody involved. i will say to the chairman's point on energy and commerce bill, that's a bill that has reasonable standards. we're going to get a bill one way or the other in the country because everybody is suing everybody. over the time the courts are going to develop a standards to be reasonable. it's too slow and it's too vague. or you're going to have states doing a hodgepodge standards. some of which are great, some not too great. so congress can play an important role here putting this out quickly. >> mr. dodge, would you like to comment on my question? >> yeah, first the suggestion that banks are not reimbursed in the wake of a data breach is simply not true.
11:21 am
as we talked about earlier there's three major ways. first is the fees they pay on every transaction. and then after a breach through the contracts they sign through the card networks there's a form you law for reimbursement. >> if the banks have an issue with that, it's with the the facilitator, which in this case is visa and mastercard. retailers sign that. and if there's a question then there's certainly the legal avenue for resolving that. >> my question, though with regards to exposure, liability exposure that a bank would have with regards to this situation, if you have a lot of retailers, and this seems to be almost an epidemic. every day or week you have another entity that's been breached. if that's the case, pretty soon the institutions will have a liability sitting there. if you do a lot of commercial lending to retailers, i see that as a problem that's going to
11:22 am
have to be fixed. i would assume you would be supportive of the idea of having retailers purchase the liability of some sort to protect them as well as the institution against the breach. >> so as governor pawlenty said, the sub insurance market is a new market. but many retailers are buying that kind of insurance. there's no question about that. but the level of standard. the suggestion there's no standard on retailers is -- by the fact that there's 50 cases where some of which were retailers, many rr not were strong enforcement was brought down by the federal trade commission. t the enforcement includes not only fines, by allowing them to take up residence in the business for 20 years. so there are very, very strong standards. >> i have a few seconds left. mr. orfei i'm very disappointed you gave everybody the password to my computer. but with that i yield back. >> thank you sir.
11:23 am
>> gentleman yields back and better put fraud alert on his credit cards. chair now recognizes chairman from california, mr. sherman. >> governor pawlenty, i do weird things h that cause my credit card company to get very concerned. like i buy gasoline in los angeles. and a day later i buy gasoline in washington. so of course their computers flip out. you would think what they would do is send me an e-mail. but they don't. they either call me, usually at the worst possible time, or if they're too lazy to do that, they freeze the account and force me to call them. is this entirely because they're not handling it right, or is there something in our statutes that we could do to facility or prod credit card companies to check with their card holders by e-mail rather than by telephone?
11:24 am
>> congressman, great question. i've had some interesting experience with cards myself. >> you engage in similar unusual a activity. >> well i'm not admitting to unusual activities sir. but anyway, as to -- >> we have another guy going to iowa. >> i think the concern that you raise is a good one, but it is being addressed in rerealtime by technology. the controls you can now set on my cards are getting really good. so for example on one card that i have i can get a text or e-mail alert if it goes over any amount. if it goes over a certain number of transactions per month. i can get a text or e-mail alert if it goes over a certain amount. soon i think i'm going to be able to get an alert. >> i'm not looking for more alerts. i'm simply looking for them to contact me by e-mail rather than by phone or freezing my account without telling me about it.
11:25 am
>> short answer is i think if you can't, many cards already do or will offer you the chance to be in the driver's seat as exactly how you want to get that message. >> i'm sure your members are aware of -- i mean we're here talking about how to upgrade the technology and i'm hoping e-mail is -- >> if you can't, i can recommend a card that will get it to you. >> not with the united airlines miles. basic economic theory is that you apply liability against the entity that should be investing in safety measures. so that you get that entity to spend the appropriate amount of money on safety measures. retailers ought to be spending more on safe toy to protect the consumers and the entire business system from the extraordinary costs that happen every time somebody hacks into one of these accounts.
11:26 am
but retailers face no liability exception the the reputational liability, which asmiss moy referenced. then we have the less known about data breaches where the media doesn't know or merely reports too the general public some of the data breaches. is it problematic that consumers at some stores may have their data hacked, but never hear about it and does this mean that the the merchant that has mishandled data faces no liability and no reputational risk? miss moy in order to have that reputational risk, do we need to do more to make sure every data breach is known? >> yes, i think we do. and i think there are a couple ways to do that. one is to make sure, as i mentioned multiit will times. that the bill is written in such
11:27 am
a way that consumers consider personal that they would want to be notified about but currently might not be notified about. for example, e-mail address and password. it's one a lot of retailers hold. if my e-mail address and password are breached, i would certainly like to know about it. and another thing that could be done, is again, sorry to be a broken record. but providing the state ags with the authority to enforce is really important because they will help work to make sure that these breaches are notified. and in particular, many states have a threshold for notification of state ags and for consumer reporting agencies, it's much lower than what we have seen in a lot of federal legislations, and a lot of the federal bills we've seen proposed, the threshold -- i believe just a couple of months ago the massachusetts
11:28 am
state ag's office appeared at another hearing on breach notification and data security. and they said that the average breach -- the size of the average breach was about 74 consumers. so it's really important that we have state ags working to make sure the consumers are notified. >> congressman,s if i can just jump in on that. >> i'll add another question and let you jump in on both. we're proposing federal legislation. is the work of the state ags and the states enough to prod retailers to spend enough on safety? >> so to your question about liability, retailers face considerable liability. obviously reputational harm. you cited that. and at the state level there's enforcement liability. and the prospects of consent decrees that could allow them to take up in a business for 20
11:29 am
years. >> do the retailers face enough reputational and financial liability to spend enough on safety, or do we need to spend many? >> i would respond with a rhetorical question. how is the current system working? not so good. >> the verizon report says 2100 breaches last year. 277 were financial institutions. 166 were merchants. there is a thousand times more merchants. so the the standards that are applied to the financial stree are not perfect. >> time of the gentleman has expired. the chair recognizes the swre man from michigan. >> thank you mr. chairman. i appreciate the opportunity, and spending the time with you all. mr. orfei, over here. hiding back here. but real quickly, while we're on the breaches i would say mr.
11:30 am
garret's credit card has purchased three things online is available widely on a russian website. but in all seriousness, though that is the concern all of us have, right? is when we're calling in swrr or buying something online in a very transient kind of economy that we have we all have a serious concern. but i'm curious mr. orfei, from your perspective, have you evaluated how many breached companies are in compliance with your standards at the tame of your breach? have they had the standards and then it's caused them to take action? or did he was them already? >> what i would reference is the revie on reverizon report. and the findings, there's two significant data points that i would give you, congressman. one is that 99.9% of the
11:31 am
breaches were preventible and covered by the pci standard. the second point is that i think that the pci standard has done a very effective job, and there hasn't been one single congress miz where the the merchant or the entity was found in compliance. >> okay. i'm a former state legislator as well. and governor, good to see you again, and i, like you, i had those situations where we're sitting in state capitols and we go what in the world is washington trying to do to us now? yet, at the same time, i understand when you have states doing various actions and not coordinating and often times that's something like counsel of state governments and other organizations like that trying to get states to harmonize
11:32 am
often times. but what i'm struggling with on this, and miss moy, you mentioned this earlier but -- as did my friend mr. neugebauer, how does setting a national floor but then allowing states to maintain a patch work of other requirements, how is that different than what we had now you? you said we would go from 47 regimes to 48. so help me out somebody, with what we do on this. i would love to hear from governor pawlenty. >> congressman, i would think about this -- i'm a big fan of the tenth amendment. i'm a big fan of states rights, and public policy at the state level. i believe in all of that profoundly. but i've come to think of this issue as a threat to the national security and critical infrastructure of the united states of america. not just in the payment space, but in the ability to do most of
11:33 am
what we do and so i think it rises to the level of being worthy of being viewed in that light and setting the table nationally because it does threaten our ability to function and presents taken to any sort of reasonable extension, a threat to our economy and our nation's security. i could walk you through the scenarios, and they don't take a lot of imagination. it rationalizes an aggressive pull. >> and that's what i want to stress. whether this is part of commerce clause or how this is affected. miss moy, quickly. >> yeah, thank you so much. ch so just to repeat again. i think most states certainly with breach notification, there's a common core of elements that we see across the various -- across the 47 plus laws. but i do think it's really important. i believe in your own state there's a harm trigger for the
11:34 am
breach notification law that is broader than just applying to financial marm. it's really important that we take that into account, as governor pawlenty has said. if we're going to set a standard, let's set it high. let's not reduce protections. >> and i would agree. i think it would have to be high, and somebody help me out on what mr. sherman has said. he doesn't want more notifications. i'm confused if you have an e-mail breach how are they supposed to notify you through e-mail, if that's been breached. so what of this cry wolf over notification, is that a real concern? >> congress man, we think that it is. we think it's important. i align myself with the most recent points made by the governor. we agree entirely on this. we think it's important that consumers get information quickly and information they can take action on in order to
11:35 am
protect themselves from financial harm. a standard beyond the financial harm would suggest customers to repeat notifications. and the worst scenario is the customer would stop paying attention to the notifications and protecting him or herself in the wake of something that could put him or her at risk. >> in order to determine the answer to that we should really look to the the state ags who have a ton of contact with consumers suffering from breaches. and in the words of illinois attorney general state ag i'm sorry. illinois attorney general lisa madigan, consumers may be fatigued over data breaches, but not asking to be less informed. >> the time of the gentleman has expired. the chair now recognizes the gentleman from massachusetts. >> thank you, mr. chairman. i can barely see you guys. but we'll try to communicate. mr. chairman, i would like to submit a letter from the massachusetts attorney general for the record. >> without objection. >> thank you. >> gentlemen does anybody at this table think five or ten
11:36 am
years from now that data security, the issues and the challenges you face will be the exact same that you face today? does nibble belief that to be true? >> technology is changing so quickly, congressman, i think it's highly unlikely the issues will be exactly the same. >> i mentioned in my written testimony that allow you to photograph the physical keys to your house and car. >> that's great. i don't think so either, but then again i don't know much about technology. i struggle with a cell phone, and you know, that's life. one thing i do know is something is going to be changing. and i guess i raise the issue because to advocate for a congressional solution with no ability to change a year two, three, four years for now, you're sitting here today because the congress is last to
11:37 am
the issue. states are first to the issue. like in most issues. the federal government is often times the last one to the fight because we're the biggest. we're the most diverse. that's the way it's always been. yet you're advocating for a situation that we have one great -- let's assume it's a fantastic law that has no ability to be upgrated through regulations, which is why we have regulatory bodies because they can act quicker than us, except come back to us and ask us to do this all over again. which in it of itself is to me the main problem here. but the other issue is i don't know where any of you live, but i'm going to presume -- since it's all port of associations, that you must live in the general washington area, at least have an apartment here. do you think that the federal government, the epa should tell the state of maryland that they have to live only to federal standards on their drinking
11:38 am
water? that the state of maryland would be totally preempted from saying no, no no we like ha little less arsenic in the drink water than the federal government requires. you think the state of maryland should be told sorry, you can't do that? >> congressman i spent seven years in the great commonwealth of massachusetts. i think you raise a very important question. that is how can we bring uniformity to an issue with nationwide implications, and indeed international implications. without interfering with the the power of the common wels. >> not just the power the responsibility. i like the idea. i've gotten in trouble on a regular basis because heck i'm a lip ral democrat. i'm all for federal regulations. regulate everything. don't worry about it. but then again. i didn't know some of my friends on the other side want to join the socialist party.
11:39 am
you know. welcome. bernie sanders has cards. you can sign up. that's my problem. i love the idea of creating fan s sfran standards. but i like two other things. i like flexibility in that. let's be honest. most members of congress we are not technologically came capable. i call my staff all the time. i kick the damn things. i drop them. this is broken seven times because i throw it. and i know none of you have ever done that because you're technologically capable. we need flexibility. whatever the threat is today is going to change tomorrow. that's the only thing i know. >> that's right. and i would submit the eta supports the approach taken in this bill because it has the exact flexibility that you're talking about. it doesn't dictate the federal standards and in fact makes it very clear it's not up to the
11:40 am
federal government to dictate how we protect a security but it is a requirement to is that the security be implemented. we also need somebody who knows what they're talking about. and number two, i really don't see why you would want to take away the ability of the t states to be more flexible than anybody else. holding to a minimum standards, f absolutely totally agree. we have the same issue on everything that we do. every financial issue that we deal with, we deal with this h issue. how much of a federal standards including, you know, we deal with insurance every day. insurance is totally regulated at the state level, and every time we come close to thinking about the federal government everybody gets worked up because the states do it. i strongly suggest if the concept is right the approach needs to be significantly exchanged on those issues to provide flexibility, number one, and to maintain the state's ability to do with as they see fit. >> i thank you gentleman. and now the jegentleman from wisconsin, mr. duffy is
11:41 am
recognized. >> thank you, mr. chairman. and it's nice to see that we're making news today. ment my good friend. also great officials of you throwing your flip phone around the capitol. he was a state legislator. i was not governor, but i was a former hockey player like yourself. do you agree with mr. dodge that the banks don't pay any fees on the data breach? i haven't heard a response to that claim? >> the banks, again the system of how this is all sorted out is complicated. but it's certainly true that the issuing banks pay in all sorts of ways, if there's a breach of the cards. as well as making the consumer whole through a complicated series of transactions. >> okay. just to be clear, does the whole panel support federal preemption? is that -- does anyone disagree with that concept?
11:42 am
i think i heard everyone say they agree. >> only if it's a high standard for consumer ls. >> i just want to understand. talking about when the card is present, what percentage of the fraud comes from fraudster who steals data and reproduces cards and makes purchases as opposed to, you know the guy who had his wallet lifted and someone goes in and uses actually the card? >> the majority of it, excuse me congressman, the majority is people scraping cards and useing counterfeit cards. >> so when we talk of chip versus chip and pin if we at least get to chip we're going to address a vast majority of the fraud taking place right now when the fraud is present? is that fair to say? >> in a static world it would have an effect. but we don't live in a static world. there's a single line of defense between the fraudsters and their ability to commit fraud.
11:43 am
they'll focus all their energy on that. we've seen examples already. we've simply argued that one of the baseline tactics of cyber hygiene is two-factor awe thebt authentication authentication. >> more pocket thieves out there? >> no, no. i'm saying fraud sters will develop new and innovative ways to crack the chip and commit fraud. >> congressman, duffy if i may, the chip will defend against counterfeit at the point of sale. it will buckle l down on the physical environment. the fraud will then move to the environment. it's what we observe in the european communities that have chip technology. now the chip technology you cannot clone it. so what we'll see is, it will migrate. >> so how far away for online purchases. >> it's a technology that's been around for ten years. and now the acquiring community
11:44 am
and technology vendors, the price point has come down. point to point encryption coupled with tokenization, is how we get to devaluing the data so it's useless. >> so with the card not present for online purchases the technology is there but not implemented yet? >> apple has what i call an early stage version of tokenization, and it's had other breach issues. but it's one of the first tokenization platforms to come to market. >> i want to be clear. so when we have a chip, does a retailer are they able to maintain data about the card in their data base if you just have a chip card? as opposed to a magnetic strip? >> again congressman, the chip is just going to work at the the point of sale. zblf listen, we've heard about the retailers with data
11:45 am
breaches. if we migrate to the exclusive use of chips, does that mean that retailers are no longer keeping personal consumer data in their data bases? >> no, sir. >> which means they're not at risk to have breaches any longer? >> no, it's just taking off the threat at the buoyantpoint of sale. it's a critical layer but not a silver bullet. on the back end. the information could be replaced by tokenization. could be protected by point to point concern. >> what recommendation on how long retailers are keeping financial information about consumers? how long should a retailer keep that information? >> it's really not necessary to keep that information. >> so -- >> congressman, if i could just jump in. >> sure. >> many of retailers have introduced encryption, so if it was acquired it would be in a format where it would be useless to a criminal. further, they have no desire to keep information they don't need -- >> but do they need any
11:46 am
information, is my question? could actually retailers after 30 days wipe those data bases clean so you don't have, you know, six months of consumer data, or a year of consumer data. isn't that really one of the risks that we have so much data being store edd, not just from the government but from retailers. >> the information is designed to give them what they really want. the element of consumers have voluntarily said we want to be able to you have this information. >> i don't know that i've ever been asked. their service is offered to me and that information is kept on my card. . and i do think there's a consume consumer protection issue here when we're not asked. >> time has expired.
11:47 am
chair now recognizes the gentleman from texas. >> thank you, chairman and ranking member waters for holding this important hearing today. and thank you to our panelists for your testimony. i request consent that my statement made part of today's record? >> without objection. >> my first question is to the honorable tim pawlenty and miss laura moy. how can a federal data security standard that creates a floor provide for more consumer financial security while at the same time providing certainty to industries that would need to implement such a standard across all 50 states? >> congressman, thank you for your question. for certain sectors not including financial services and health care and a couple others, they don't have standards
11:48 am
currently, other than than in the 13 states or so where they have them. so by congress creating a floor or a ceiling but we hope a high standard that is for the whole country, you will lift the game and the expectations and the legal responsibilities for those sectors in those places that don't have a standard currently. and again, this is migrated to international proportions. and i think if the members of this committee knew that russia or china or semistate agents were about to compromise the payment system you wouldn't say let's kick it to the states. let's let them handle it. i don't think you would do that. whatever you do will be helpful, even if directionally. it will be better than what we have now for the sectors that don't have in i standard in those states. >> miss moy? >> right, so i would say a couple of things. one is that consumers are protected right now by the federal trade commission section five authority, and the ftc is enforcing that.
11:49 am
as we've heard they've enforced over 50 cases since 2001. and consumers in the other 47 are, you know -- 47 states and three jurisdictions are protected by breach notification laws. so there are protections existing for consumers. i think setting a floor and not a ceiling, as i've mentioned before, there is a clear pattern in terms of what's covered, even by the disparate state laws. so as a practical matter, most companies that have to comply with the laws of multiple states are just complying with the strongest standard and are mostly okay. the other states, including -- in fact, many states have a provision that allows an entity to notify some of the -- some consumers who have been affected by a breach under the standard of another state. but i would add on that if we are going to have a federal preemptive standard, as i've said before, it has to be a high one and not only in terms of
11:50 am
what the security standard is, but in terms of what information is covered by the bill. that's a critical element that i think we might be missing here. >> thank you for your response. my second question is addressed to mr.knoxman and mr. brian dodge. given the ever-increasing sophistication and sheer number of cyber-attacks on our financial institutions and markets could do you not athink a catastrophic attack which can have severe repercussions on the financial system as a whole is imminent, and what can the federal government do to help prevent such an attack or prepare to respond to such an attack? >> thank you for the question, congressman. the possibility of such an attack is always on the minds of the payments companies that eta represents. and preparation for those attack is, of course something that is always included in all the operational plans of the companies we represent.
11:51 am
our sincere hope is that something like that never happens. we do recognize the important role infrastructure plays in powering commerce in this country and protecting our customers be they merchants or consumers is always top of mind. we are focused and prepared for that. it is our sincere hope that nothing like that comes to pass. >> thank you. >> in terms of your question about what congress can do i think the focus on data security to avoid such a catastrophic event is incredibly important. we believe that the way that you get yourself to a stronger environment is layers of security. and congress can help with that by doing as the house did last month, passing information sharing legislation. but also as we're talking about today, providing clear and strong guidance for businesses on how they should maintain their systems to ensure cybersecurity. and then providing the flexibility for businesses and for regulators to adapt to that threat over time.
11:52 am
there's no doubt that the threat is increasing, the level of sophistication is growing fast, and we need to be able to stay involved. the last point is we need to look to where our greatest vulnerabilities are. the greatest vulnerability now is the merchant community. the weakest technology -- security technology enabled in the world today. when we move to chip technology without the pin like has been instituted in the rest of the industrialized world, we will still have the lowest level of security in the world, and fraud will continue to flow toward us. >> thank you. my time has expired. i yield back, mr. chairman. >> time of the gentleman has expired. the chair recognizes the gentleman from south carolina, mr. mulvany. >> thank you mr. chairman, and thank you to everyone on the panel for helping us try to do something we don't do enough, try and collect information, which is what i'm trying to do. i'm not here to beat anybody up. i have an honest-to-goodness question. i think it's directed to mr. polenti and mr. dodge.
11:53 am
i welcome everybody to chime in, okay. say that mr. caplano steals my credit card which is possible because he's that kind of guy even though he's not here yet. he goes to the -- he goes to my local gas station or his local gas station, slides it in there happens to -- maybe he knows my zip code. and buys the gasoline with my stolen credit card. i catch it when my statement comes in next week or get an e-mail, which i think is a service my bank provides which i enjoy. i catch it call the bank and say someone stole my credit card and used it to buy gas in massachusetts. they say, okay, we'll take it off your bill. who eat that loss? the i are tailor, the bank -- the retailer, the bank, who eats the loss for the gasoline bought with a stolen credit card? >> first i would say if a pin was required the fraud would have never occurred in the first
11:54 am
place. >> okay. >> you wouldn't have that. secondly, there's a difference between data breach, fraud repayment, and traditional fraud repayment. >> okay. >> there would be based on the contracts that the retailer signed with the card networks there would be an evaluation of where was the weakest link in the system. so if it was a stolen card it was reused, then it would probably -- i don't know the answer. that's how it would go. it is determined by -- >> whoa, whoa. is -- >> but on -- in many cases, almost all cases an element of fraud was charged back to the retailers. >> mr. polenti? >> initially somebody has to give the cash back if it's a debit transaction or value. >> again, i'm -- >> it's the issue -- >> the credit transaction. >> it's the issuing bank and they sort it out afterwards as to who pays what. in terms of who eat most of it initially in our view over the long term of the discussion, it's the banks. >> here's why i ask the question guys. and -- i have my banker friends
11:55 am
come in and tell you, look, we have to do something because we eat all of this loss. last week, i had some convenience store people come and say, look we have to do something because we eat all of this loss. are both of them eating a little bit of the loss? is that what comes down to? i see some nodding their head, usually a good sign. >> i included in my testimony a schedule of repayment that shows the fees and structure of the contract that obligate merchants to repay in the wake of a breach. those are reissuance costs, costs to reissue cards, and. fraud, fraud associated with the breach. every day on every transaction processed, the merchant pays a fee, an interchange fee swipe fee. an element is for -- whether fraud happens or not, they prepay every day. how that's divided up by the banks is a great question for them. but we know we pay it on every single transaction. >> i got it. >> congressman, if i could -- >> please, yes. >> the hypothetical you asked
11:56 am
has a simple answer. that is the card issuer is responsible for that fraud. a lost and stolen fraud you described is never the responsibility of the merchant. since your card was stolen out of your pocket and hadn't reported it stolen when the card was used and transaction authorized by the bank at the gas station, the issuing bank has responsibility. you don't and the merchant doesn't. >> thank you. i think that leads to my next question. does the analysis change -- i think i've got it now -- for a stolen cart, capalano steals my credit card, i get it -- he would do that, too. what if the card is counterfeit? is it any different if someone gets it from target, gets my information from target, create a counterfeit card and use it, is the outcome different? is the distribution -- who bears the loss different? mr. oxman? >> as it stands, the analysis is exactly the same in the case of a counterfeit card. the issuer would have responsibility for that. the merchant would not. the migration to emv chips that we've been talking so much about this morning actually change that calculus.
11:57 am
and the responsibility for the fraud after october of this year will actually fall on the party to the transaction whether it's the merchant side or issuing side that has deployed the lesser form of security. not to get too complicated, but if that card that you're talking about has been counterfeited and it was a chip card and the issuer has issued chip cards but the merchant hasn't installed chip readers then the merchant will have responsibility for that fraud. that's a change to the current system which is the issuer takes responsibility. >> then finally, if i can have the indulges of the the chairman for 15 more seconds, the third example of fraud is the online fraud. there's no card present, we're on line buying airplane ticket. who bears the risk of loss on that one? >> merchant 100%. 100%, the merchant. it's subject to the fraud cost. >> gentlemen, thank you very much. i appreciate the information. >> time of the gentleman has expired. chair recognizes the gentleman from missouri mr. clay. the ranking member of our financial institution
11:58 am
subcommittee. >> thank you mr. chairman, and i'm wanting to note that i am so glad to be back in this refurbished hearing room. let me ask you know at the end of your testimony that not a single company has been found to be compliant at the time of their breach. but in many cases firms that have breached were at one point pci compliant. how does your compliance framework lend itself if at all to ongoing monitoring of pci compliance, what role does the pci play in monitoring compliance? >> thank you for that question. yes. 99.9% of compromises were preventable and covered by the standard. and if you think about our standard, what we're advocating is a move away from compliance to a risk-based approach.
11:59 am
and we are advocating vigilance and discipline and being methodical in close adherence to the standard. security is a 24-by-7 responsibility. it's not a matter of compliance, what we see happens is a company works diligently to bring its organization into compliance, they high five each other on thursday and friday the environment starts to deteriorate deteriorate. it's about being disciplined, methodical, and paying attention to the fundamentals, sir. >> thank you for that response. mr. oxman, although chip technology is fairly new to the united states, it's been around for decades and is ubiquitous in other parts of the world. given the rapid pace of tech technological development, we not at the point where other types of security measures are more appropriate for use in
12:00 pm
connection with u.s. payment cards and payments in general? >> thank you for the question. you're right that the chip is a well-developed technology. the good news is the payments industry recognizes, as you've heard this morning, that the chip addresses one type of fraud that happens to be the most prevalent form of fraud here in the united states today. that's counterfeit card fraud. so the chip implementation will address that type of fraud. but as you noted, other types of security are important, as well, which is why our industry is deploying a layered secured technology approach which includes the chipping cards. but tokenization which replaces account information with a one-time-use cryptogram that can't be reused. it secures all entry point into the payment systems. that layered approach with multiple different technologies, as you suggested, is in recognition of the fact that the chip card addresses one type of
12:01 pm
fraud, but we need to do much more. criminals are much more sophisticated. >> thank you. for anyone on the panel how prevplenty is fraud in the -- prevalent is fraud in the case of online checking? is that pretty secure can anyone respond to that? >> online checking? >> yes. >> certainly e-commerce is an environment where there's limited security options for merchants to employ right now. it's a frustration that e-commerce is such a big part of the economy and no strong means of security is a considerable frustration. back to your first question a moment ago, though, i want to note that jason's point about all the levels of the different layers of technology is a good one. that we need to be evolveingevolving finding ways to make tokenization and encryption work specifically for the e-commerce environment. today there's 1.2 billion cards
12:02 pm
circulating in the united states. most of which have technology in. it later this year whether we see more chip -- when we see more chip cards, we'll see early how it 2,000s technology. we need to do a better job of errors occurring. >> thank you very much for your responses. mr. chairman, i yield back. >> the chair recognizes the gentleman from north carolina, mr. pittinger. >> thank you mr. chairman. thank you for hosting this hearing. and thank you, each of you, for being with us today. governor pawlenty, according to the identity theft resource center, financial institution's responsible for less than 6% of breaches in 2014. some could draw the connection from this fact that the financial institution has been subject to the glam
12:03 pm
graham-leach-bliley act since 1999. do you think this is fair? >> i do. i i don't think there's disputes that the financial sector has the best defense and capability and resiliency in the space. as everyone knows in the room, even financial institutions get breached. relative to other sectors we're more advanced and get breached less. that's not a bragging point, it's about what caused that. it caused investment caused by investment, hard work, technology. and i believe that graham-leach-bliley set a standard, and people tried to adhere to the standard. plus, we get examined by regulators to the standard. i would say that contributed to the state of the industry's cyber-defenses in the relative good quality of it. >> thank you. yes, sir? >> congressman, i would note that the annual verizon cybersecurity report is sort of considered to be the gold standard for cyber-reporting. it found last year there were 2,100 data loss cybersecurity intrusions. of that 277 financial
12:04 pm
institutions and 167 were retail businesses. there are 1,000 times more retailer operating in the u.s. i don't think we should have the philosophically that a single regulation can guide us to successful cybersecurity -- >> mr. dodge, let me build on that. building on the chairman's statement earlier and reference to legislation, it does to develop and implement a program that ensures security and confidentiality of sensitive information, it is appropriate to the size, scope and sensitivity of this information. this is written to create some measure of flexibility so the standards are modified. do you think this is a good approach in terms of creating flexibilities of standards? >> so, you know, we applaud congress for looking at lot of ways to address this issue. i think what's important is that we look at the regulatory environment as it exists today and recognize that the
12:05 pm
graham-leach-bliley act was written specifically for the financial services community, and there's a very strong regulatory regime that applies to most of the rest of the business community. and that is enforced through the ftc. the ftc has moved aggressively over the last decade and established a clear and strong set of standards that businesses have to comply with. we think that is the way to go -- >> let's refer to this. it says the provision of the bill says a covered entity's information security program shall be appropriate to the size and complexity of the covered entity, the nature and scope of activities of the covered entity, and sensitivity of the consumer's financial information to be protected. what other flexibilities do you see would be needed that would ensure that consumers are protected but not prevent adaptability for future threats? >> so the language that you site is not dissimilar.
12:06 pm
we think busy have to have -- we think businesses have to be a clear understanding of what enforcements are. and the agency as the ftc does today has the ability to evolve the interpretation of the law over time to meet new threat. and businesses of different sizes and businesses that require that they collect different kinds of data should be treated based on their size and the kind of information -- >> and this legislation seeks to do that. isn't that right? >> based on your -- what you quoted, that sounds right. but as i've said, we believe you need to look at the regulatory environment as it exist today, and work within that. the debate here today is it how do we pass a law that could provide businesses with more clarity and the ability to evolve with the threat. i don't care that the objective should be to shoehorn a law that was written for one industry to apply to the entire business community. >> i don't think that's what this does, according to what i read. i think it clearly states the
12:07 pm
proifgsz provisions reflect the size, scope -- it personalizes it, krets the flexibility. >> and i appreciate your focus on that because we agree with the need for flexibility. we simply are looking at the proposal in its entirety and it's hard to separate thing out without talking about how it would affect it when it's merged together. >> thank you. i yield back. >> the gentleman yields back. the chair now recognizes the gentleman from massachusetts who did not steal mr. mulvaney's credit card in its hypothetical mr. lynch, recognized for five minutes. >> thank you mr. chairman. i appreciate that. i want to thank the witnesses for your testimony. on the question of federal preemption, when we talk about complete federal preemption we're talking about a federal standard and at least as far as this legislation goes, we're talking about federal enforcement as well, that's
12:08 pm
being taken away from the attorneys general of the states. even further it looks like the notification for breach will be taken away from the fec and given to the ftc. consolidating that, as well. as well it might involve, if i'm -- i'm not sure if i'm getting this correct. if we have a federal standard and a retailer or business complies with that federal standard, does that inl ply some type of -- imply some type of immunity for the individual retailer if they're complyinging with what the feds require, is that holding them harmless from any liability? >> i'm sorry, you mean in an environment where there is -- this creates a floor and not a ceiling and states continue to have -- >> well this would be a complete oblitration. total reempz.
12:09 pm
you'll have one -- preemption. you'll have one -- it would be a ceiling. would be a ceiling. is that imply inging some immunity or protection from liability for the complying company? >> yeah. a company would only then be liable as it would be held liable under the federal law. any additional obligations of the state through had previously existed would no longer be -- no longer be actively enforced. >> this legislation that would be problematic because, as your testimony indicated, it only recognizes financial harm. there's a chicago ear -- well, actually personal -- there's a financial harm trigger. i think there's also a trigger for very narrow set of personal information. >> actually, i'm not sure if there is -- i thought that i was under the impression that the financial harm trigger applies to everything.
12:10 pm
but perhaps you're right. i'll look at that -- >> if i may, congressman, the provisions of the bill of 2205 also provide for triggers related to identity theft, as well as financial harm. >> yes. although many states, as i noted in my written testimony, either have no harm trigger at all recognizing that consumers want to be notified of breach of certain classes of information and want to be able to safeguard that information regardless of whether or not it could be used for identity theft or financial harm, and -- and a clear majority of states have either no trigger or a trigger that's broader than just financial in nature. >> one of the problems i have is that this introduces a federal standard. and it takes out the states -- massachusetts happens to have a very robust consumer protection privacy framework that i think will be harmed. we also have -- we've been blessed with attorneys general that have been very active in
12:11 pm
defending consumers. and some cases as you pointed out, i think the average case of breach in massachusetts, we had 2,400 last year. the average size was 74 consumers. that's not the type of thing that the ftc will go after in my opinion. >> that's right. that's why we think it's critically important if we want to ensure that all consumers are protected by a federal standard. it's important that we have as many people keeping an eye on what's happening with breaches and working with companies to help develop the security standards and working with consumer to respond after their -- after the information has been breached and to watch out for potential harm that could be coming down the pike. it's important to have the involvement of the state a.g.s in all of that. >> if we did introduce -- i'm in favor of introducing a very high floor across the board that i think would subsume maybe close to 40 states. i would like to have flexibility
12:12 pm
for states that, number one, they're more flexible. congress is not known for speed at all. having the states out with the ability to provide additional protections especially in the face of the sophistication of some of these hackers is very, very important in my mind. there is incongruenty in the bill. it talks about the standard and says every covered entity will be responsible for adopting a system of security protection that is commensurate with their size their complexity -- the gentleman from north carolina brought this up in a different context. how do we we'll do that where a pizza shop, coffee shop a bank, banks were a different class. but each and every company is going to be able to right size the level of protection. but in reality that stream of information that is breached may
12:13 pm
not be compartmentalized. >> i'm sorry, what do you mean the information may not be compartmentalized? i'm sorry. >> if they hack into your e-mail and password, that opens a whole other door of information that they can access that might not be readily evident, you know based on where they entered the stream of information. >> right. sorry, may i respond -- >> a very brief answer. >> sure. yeah. i would say there are log-in credentials that can be -- because people recycle passwords can be used across account. that's an important reason. >> thank you. time of the gentleman has expired. the chair recognizes the gentleman from california, mr. royce, the chairman of the house foreign affairs committee. >> thank you, mr. chairman. there has been a lot of discussion here about the current liability, what it looks like. i guess one of the questions is what it should look like. and if i could ask governor pawlenty, i had a question here.
12:14 pm
when a data breach occurs how should we allocate the financial responsibility for that breach? for example, if a breach of sensitive customer information occurs at a financial institution and it's shown that the institution did not protect the customer information as graham-leach-bliley requires, do you agree that the financial institution should be responsible for the cost of the breach? >> congressman royce, yes. we believe that the entity that was negligent or entities, plural should be responsible for their negligence. >> okay. then governor, should the same be true of the merchant? if there's a breach with a high likelihood of harm being done to the consumer, should the merchant be responsible for the costs associated with that breach to the extent that the entity has not met men mum security requirements. >> congressman royce absolutely. >> mr. dodge i would ask if you
12:15 pm
agree on that point. >> i would tell you that we do agree because that is what happens today. today merchant are obligated if they have a breach by contract signed with the card network to reimburse the banks for the fees associated with the costs. in addition to the fees they pay every day every time a transaction which is obligated to prepayment of fraud if it happens or even if it doesn't happen. fees are being paid constantly. >> the next question i was going to ask governor pawlenty is it's been proposed by some that consumers should receive notification of a data breach directly from the company that was breached even if they have no relationship with that company. wouldn't a simple ever situation be to allow the -- simpler solution be to allow the notice to come from the company that the consumer gave financial information to directly while also allowing the company to identify where the breach occurred if it is known? it's my understanding that there
12:16 pm
is currently no law, no contractural obligation that would preclude a financial institution from identifying the institution where a data breach occurred when sending out a notification to their customer? is that your understanding as well? >> congressman royce yes and of course you might imagine if there's a breach, it unfolds in the early hours and days with a great deal of uncertainty and sense of crisis around it so as people think about what they're going to say publicly and sending out notices, particularly if it incriminates another company you want to make sure that you're articulating that correctly and accurately for fear of liability. i think some companies don't name names in those initial notices over some of those concerns. >> you know, as we look at the cyber-attacks and see this increasingly as we talk to the europeans and asian governments a lot of these are being conducted now by state sponsored
12:17 pm
or state-sanctioned entities. we actually for example, see individuals traveling from a certain bureau in north korea to moscow to be trained. then we see their conduct with respect to the banking system in south korea and the attempt to implode the system in south korea with the direct attacks. what can or should be done in the view of some of the panel here to hold these countries accountable in situations like this? how do we do that? >> to the extent this has evolved into an encourage dynamic and you have state sponsored or semi state-sponsored activity, the united states has to respond in kind at a level of country-to-country discussions and fortunately consequences. as you may know, under current law the only entity that can fire back, if you will in cyber-space is the u.s.
12:18 pm
government. private entities cannot hack back. and so the deterrent or consequences for this potential can only come from the u.s. government. lastly, there needs to be rules of the road internationally. we have rogue states, semi rogue states acting recklessly, irresponsibly in a very concerted fashion. what you see in terms of payment disruption is relatively minor. the consumers get reimbursed. it's inconvenient, menacing, concerning, you should act on that alone. but compared to some not-too-fanciful scenarios where the entire system is disrupted or another piece of critical infrastructure is disrupted, that's something you need to be thinking about. >> we've seen the iranian
12:19 pm
12:20 pm
12:21 pm
12:22 pm
[ technical difficulty ] >> in your testimony you noted the emv chip cards have proven effective. i've got a number of cards to switch out on, make sure you have the chip. one of the questions, this happens with my daughters et cetera, they're doing more and more shopping -- line. people not going to the store as much. they're going shopping on line. and it seems as though that there are more frauds taking place when people are doing this shopping on line. can you stay with us ways in which firms are innovating to prevent customers, consumers who rely more on online shopping so we can prevent fraud in that case? and again like i asked mr. oxman, ways that congress can ensure greater data breach protection as we move away from in-store purchases. it seem as the new generation is on line -- my daughters won't go
12:23 pm
to stores anymore. everything's on line. what we can do in that regards. >> congressman, great question. as was mentioned earlier the chip wards will go a long way toward eliminating or greatly reducing card-present fraud for the reason that were mentioned earlier. that's progress and good and we applaud that and enthusiastically embrace it. as we've seen in the other emv-adopted country, the fraud shifts to the online environment. what happens, of course, is if you make an order on line over the phone, or otherwise, you end end -- use enter your credit card number and code and expiration date, and away you go. if i have that information from you could i can make the transaction on line. it's loose to put it mildly. the future of that in the near term is a technology platform called tokenization which will allow that transaction to occur with a unique set of data that connection -- needed data to finalize the transaction but the personally identifiable
12:24 pm
information isn't it's inially tranmiddle as part. it's -- transmitted as part. it's a token. that's coming. it's just around the corner, and it's in market to some extent. the cost is coming down, the ubiquity -- it's becoming more ubiquitous. that will be a big part of the solution. it was invented ten years ago. there will be something else that will come next. >> the time of the gentleman has expired. the chair recognizes the gentleman from maine. >> thank you mr. chairman. i appreciate it very much. and thank you, all you folks, for being here today. i really appreciate it. mr. oxman, i know you and i both are from maine. probably the safest state in america. we invite all kinds of other folks to come up and enjoy our state. that being said we are not immune to folk who are stealing our credit card, credit card numbers or using our debit cards fraudulently, what have you. we know there's a problem, the problem is across the country, even the great state of maine. that being said, one of the
12:25 pm
thing that i've heard this morning that i'm delighted about is that there seems to be some common ground, a lot of common ground when it comes to the fact that there is an issue with cybersecurity. we all know it's there. you folks all agree to it. even though you're from different parts of this space, if you will. and i've also heard if i'm not mistaken, that there's -- there's consensus that we need. instead of 48 individual laws that we have to deal with at one national standard, it would be helpful when it comes to notification. i'd like to hear from each of you you, we'll start with you governor, if you don't mind terribly, what is on the top of your list? what would you like to inform this committee about that would be helpful for all the players in the space to make sure our consumers in maine's second district and throughout the country are protected with bank accounts credit cards, what have you. what could you advise us today? you're members on the ground. you're much closer to this problem than we could ever be. please tell us.
12:26 pm
>> that's a great question. you think about notification there's a problem, and we need to clean up the mess. that's little consolation for people who have the mess visited. them. it's helpful. as to standards, it will help as people raise their game. i think this entire space is going to evolve in a very interesting and probably disruptive fashion over the next ten years. things we're talking about here today in terms of technology platforms as was mentioned earlier will look very differently ten years from now. i don't think we'll be walking around with pieces of plastic and pins. the whole thing is shifting increasingly to mobile and other ways to make payments. so i would say it's going to come from the technology sector big changes. good changes. >> mr. dodge? >> i'm glad some attention is being paid to collaboration. i think that's an important outcrop from these catastrophes. this focus. last year we collaborated with financial services roundtable and electronic transaction
12:27 pm
association, with a whole bunch of merchant and financial service associations to talk about the challenges. to try to find common ground. collaboration has also found its way into the information sharing, threat information sharing world where businesses can share threat information. the rising tides for -- main term, rising tides lift all ships. the ability to see a threat deflected and share with others what you saw and how you did it. important, and we congratulate congress for passing legislation on that last month. i think one of the thing we look toward is how do we enhance the security to the 21st century and beyond. the card security today is weak. it needs to improve. there's a half step on the calendar for later this year. it's only a half step. we need to get beyond that. we want to see congress focus on that and certainly want to see the business community that's responsible for creating those cards to focus on it as well. >> mr. oxman? >> thank you, congressman. i'm excited about the change in technology we're seeing in our industry. i think if there were one thing for the committee to be aware of, it's that there is no need for an inquiry into the
12:28 pm
technology because the industry is working together to deploy it. you know, my first job was as a bank teller, summer after first year in college, the heart of the second district of maine. and the hot technology in the '80s was the atm machine. today consumers can buy things with a watch. it's amazing what's happening out there. i think the good news from congress' perspective the industry is deploying technology safely securely and reliably. we'll get it done. >> apple parkway -- -- apple parkway, google, four square, these are developing much more than i understand and how to pay with goods and services you buy on line through a mobile device. do you see any problems coming down the road with those types of technology, or is that where it's going to go and where it should go in your opinion? >> this technology is incredibly exciting particularly because it allows us to deploy more robust
12:29 pm
security alongside. the way to think about it is it's a new means of implementing a payment transaction. initiating that transaction, using your watch or phone instead of a plastic card. and that watch or phone or whatever device has many more security capability than the plastic cards. it's a good thing for consumers. >> unless here in this country we go down this path where we continue to work on this problem and find solutions to it aren't we exposing consumers and families and businesses to more cyber- cyber-risk if europe is ahead of us and other developed countries, parts of the world are ahead of us? >> may i have that question? i think technology will evolve and we'll have good answers. particularly mobile will be the future of payments. i think what's key is this information sharing effort that's in progress now. being able to collect information, translate it so it's actionable intelligence, and that will allow us to preempt attacks from organized
12:30 pm
crime, rogue states, and state-funded actors. >> thank you all very much. appreciate it. thank you, mr. chairman. i yield my time. >> i thank the gentleman. the gentleman from georgia, mr. scott, recognized for five minutes. >> yes, governor pawlenty, i'd like for you to address this and they can chip in, as well. with the challenge for our migration of the emv chip technology in the united states basically due by october 15th why are u.s. consumers only now receiving the chip cards when consumers in europe and canada have had them for many years? why are we behind the eight ball? >> there's some unique history as it relates to how europe got to where it is, relating to technology. their telecommunication system, how they did batch processing, how that works relative to how we did it in the united states. i think to sum it up here i
12:31 pm
would say the transition from what we had to what we need and where we're headed next has been -- is a very big transition. think about the millions and millions and millions of point of sale terminals that would have to be chip ready. now only about 25% of retailers can even take a chip card. they would have to flip their systems, point of sale systems back room systems payment networks have to do the same the banks have to do the same. it's a massive transition. you know would we have benefited from it being done earlier? probably. but we are where we are, now we need to get it done as quickly as possible. this is highlighting the urgency of it. >> okay. now, sense we have such a braintrust of cybersecurity before us in this distinguished panel, i want to shift for a moment. are you satisfied and how would you describe the national security threat to our country
12:32 pm
as a result of cybersecurity as a national security issue? i think it's one we really really have to deal with. and how would you relate that particularly when we've had attacks on our cybersecurity from china russia, from iran from north korea isis, al qaeda, other terrorist, now our military bases are put on
12:33 pm
not as comfortable to say we're just going do something uniform across the country. i think this is elevated. not just the card and processing, but many other aspects of this to a national security issue. we have known identifiable threats to critical infrastructure of this country that would impair not just the economy but the health and well-being of our citizens if deployed to any sort of scale. so it is a clear and present national security threat that i think needs to be addressed with that kind of urgency and that kind of seriousness and that kind of weight behind it. >> and congressman scott, it is a question that is answered largely by technology. and thank you for your leadership and taking a founding role in the congressional payment technology caucus because technology companies, including many from the great
12:34 pm
state of georgia are out deploying stocks security networks -- deploying systems networks. and there's no question that the payments industry is focused relentlessly on this because of the national security of networks and reliability of networks and systems is why consumers choose electronic payments as their preferred method of engaging in commerce. we need to make sure that remains a confident factor for consumers. >> and how ready will we be? october's right around the corner. what are your expectations? have we said that date? have we -- is it accomplishable? >> yeah, congressman, the migration in october to the chip cards is a date that we've set as a milestone. and it's a lot of work to do. 1.2 billion cards in consumers' wallets need to be replaced. more than eight million merchants in the u.s. need to
12:35 pm
upgrade their systems in order to accept chip cards. that's going to take some time. we'll be completely finished by october -- the answer, frankly, is no. we won't be all done. we'll be largely there. most importantly the industry is entirely unified in recognizing the important of making this infrastructure upgrade. we're doing it we're working together merchants financial institutions, payments companies, and consumers. we're going to get it done. >> thank you, mr. chairman. i yield back. >> i thank the gentleman. now the gentleman from arkansas, mr. hill, is recognized for five minutes. >> thank you, mr. chairman. i thank the panel for your being with us this morning. on mrs. mahoney's comments about graham-leach and the impact on banks having run a community bank for the entire history of graham-leach's existence, i do think it was flexible in the standards when it comes to
12:36 pm
examination and practice, both in scope of business and not. so i think that's something that's worked well in the financial services industry. one question i have i'd like the panel to react to what role does reliability insurance -- liability insurance play? i know in our company we took out the coverage at the modest premium for notification coverage which was sort of what was recommended by the underwriters. didn't find it very compelling or particularly useful. but in a large breach it certainly would be helpful to pay the out-of-pocket expenses. but what's happening in the liability arena on insurance coverages for entity beyond that? what standard are they setting when they come to underwrite a retailer? let's start with you, mr. dodge, about data breach. there's obviously a mathematical loss for one of your members. >> sure. i'll acknowledge i don't claim
12:37 pm
to be an expert on cybersecurity reliability insurance. i have perspective. first, it's an immature market, pretty new, and rapidly evolving. i know the administration is working on ways to make that a more mature, more competitive market. retailers, many retailers are looking into many have purchased liability insurance as it relates to cybersecurity. i don't have a number, but i suspect the number is growing by the day. and one of the challenges they all face is where exactly do to price it. they don't know how much to get, and they don't know if they're getting a great value for it. but they know that it's important to have. they're working on making sure that that improves over time. i think your point's a good one. >> also in the medical society where over 60 physicians had their identities stolen when they filed their income tax return return. didn't know it until they went to hit "send" electronically to the irs and suddenly learned they already filed their return which, of course, they haven't.
12:38 pm
can you reflect on standards that we've talked about today for that other 80% that we have not -- that's not represented here today? or maybe mr. oxman, you might take that one. >> thank you, congressman hill. and i do think that is an important issue because the harm that consumers suffer from identity theft can in some circumstances be as impactful as the harm suffered from the theft of financial data. and i think h.r. 2205 does a good job of making sure that all entities, not just retailers and financial institutions and payment companies, but all entities that have storage or access to the sensitive personal information are required to abide by the federal standards that h.r. 2205 would put in place. and i do think that's a very important component of the bill. >> anybody else want to add on that? >> well, i think the fundamentals of the pci standard are applicable across all vertical market. i also share your concern in my
12:39 pm
discussions with law enforcement that the health care systems in particular will be the next big target. protecting that data and following adherence to the pci standard would benefit those industries, as well. >> i think it's a little, you know, odd that hipaa, we can't even have a conversation it our aunt's health with a doctor without everybody jumping through hoops. but we've obviously got health care data at risk, that's financial data. and this irs situation is financial loss. i mean i think this is a serious matter. certainly as serious as having your one's credit card number compromised. so i'm glad to hear you say that you have comfort that the standards in this bill will help in this other 80% of the issue that we're not addressing today. thank you. mr. dodge? >> i would say you know, we also endorse a strong, reasonable standard, one that provides businesses with a strong expectation of what government considers to be
12:40 pm
reasonable standard. we believe it should be enforced by the ftc. and we've endorsed the legislation that came out of the energy and commerce committee to do just that. we think it's important as we're addressing this issue that we first look t regulatory landscape -- look at the regulatory landscape, and design solutions that fit within that rather than moving regulation design from one industry, in this case the financial services industry, to the rest of the economy. >> thank you for that comment. i yield back. thank you. >> i thank the gentleman. now the gentlewoman from wisconsin, the ranking member of the policy committee ms. moore recognized for five minutes. >> thank you very much for that elevation. i just want to thank all of the witnesses for taking the time and being patient with us. and i can tell you that you guys almost -- and ms. moy almost answered my questions when other members were asking it. so i do want to apologize if things seem redundant.
12:41 pm
let me start with you ms. moy. you talked about having a federal standard of floor standard. you talked about the ftc really providing that service at this point. i guess i want your opinion or knowledge about whether or not you think the ftc is currently staffed up and resourced up enough to continue the stewardship. how much more would it cost to do it how many more employees would we -- do you anticipate? is there necessity to create a new agency? >> so i apologize because i don't have those numbers for you. although i could do some research and try to help you answer that question. i mean, i do think the ftc is doing a pretty good job enforcing data security specifically with the biggest cases. at the state level, the states are active in this area, as well. also enforceing sometime their
12:42 pm
own data security standard and sometimes a standard that they drawing from there, from the authority of their general consumer protection acts, the mini ftc acts. but -- so i think it's really important, though, to preserve the ability of what the states are doing, to preserve the ability of state a.g.s to continue to provide that important service. and -- and to set our new standards at a level that will continue to preserve protections for pieces of information that would not be covered by the legislative proposals we've seen. for example, in your own state of wisconsin, the breach notification standard would extend to dna and byieobiometric data that's not necessarily covered by what we've seen in some legislative proposals. >> i really would like to know how much this will cost. and in keeping with that same theme, mr. mulvaney was sort of going down this road about who pays for the cost of a breach.
12:43 pm
and on act 1 2015, there's going to be a merchant liability shift. we're at the custard stand here and i've gotten my smartphone to be able to swipe my card. you know how much is this going to cost me or do i just take risks and say i'll just take chances for a few years until i get my business up and start franchising my custard store? how much tell cost me to be compliant? >> congresswoman moore, the good news is for a small business interested in upgrading infrastructure, the costs are very low. you can get a emv chip device from square for $30. >> okay. >> if you want to go that route. or get it from a payments processor for not much more.
12:44 pm
the cost is very low for the merchant. the good news is that october liability shift date that you're talking about, if the merchant makes that installment in the upgrade to chip cards and if the card issue says has issued chip cards, the liability for the fraudulent card rests with the issuer. the merchant is exactly the same as today as long as they have made the investment in the infrastructure. wye don't have liability for a counterfeit card transaction in that scenario. it's good news for the merchant. >> that was the answer that was escaping me this entire hearing. i mean how much is it going to cost gwen's custard stand to do it. obviously there will be a lot of costs for atms and i guess that's a little more costly. how much will it cost to update all the atms? >> yeah, the atms and actually fuel dispensaries so gas stations actually have an extra two years to upgrade their
12:45 pm
infrastructure because it's complicated to actually take the credit card equipment out of an atm or gas pump. they don't have to worry about upgrading infrastructure until october of 2017 for those two industries. >> okay. my last time for governor pawlenty. i guess as the head of the financial services countedtable i guess i'm curious about why it's taken us so long to do this. why we're behind europe and canada. and you testified we're going stay behind. >> some of the countries that went to emv didn't have much legacy technology to begin with. they could just jump to it as first adopters. other countries have other histories like the u.k., for example, in an era where telecom was expensive. they loaded up all the transactions and processed them at the end of the day called batch processing. the ability to do real-time communication via telecom had something to do with how and
12:46 pm
when things evolved. that you will said i think the u.s. has been slow to this issue. but the fact of the matter is we see the need, obviously everybody does, and moving as quickly as possible to implement it and for good cause -- >> mr. chairman, i realize my time has expired. i want to ask governor pawlenty, are the vikings going to be as bad as they were last season? >> did you say the packers? [ laughter ] >> the vikings? >> i think the big question is how do we get some of that custard. [ laughter ] >> the vikings are going to be better this year. >> the gentleman from florida now, mr. ross, is recognized for five minutes. >> thank you, mr. chairman, and thank you, panelist. i can only preface my remarks by thinking back to the early 1980s when i was installing computer systems, 16-bit processors in pharmacies across the eastern united states. we would use a dial-up modem to update drug prices and process data. at thattime "war games" came out starring matthew broderick
12:47 pm
showing how we can hack into the intelligence computer that started an international war game. and we've evolved today to where you go to walt disney world and get a magic band that has all your data, shows disney exactly where you are, what you're doing, what ride you want to be on, all your billing information. the evolution of technology has been a tremendous benefit to us. it's given us the path of expanding our commerce and economy tremendously. and obviously it has given opportunities to those that seek ill will against us. and that's why we're here. one of the institutions of higher education university of south florida, rests in my district. and two years ago, they were designated by the florida legislature to be the center of cybersecurity, an academic program now they have over 100 students seeking masters in this chemical arena. my question is is there a great deal of cooperation between the private sector and the academic sector in trying to innovate ways to continue to fight
12:48 pm
cybersecurity? anybody can address that. >> i can speak up and say i know the retailers who have sought such partnerships have found welcome partnerships. last year we established something called the retail cyber-intelligence sharing center. at the core of that is a retail is is isat and educational opportunities. i know that group has found great partners already in the academy could community looking for ways to identify ways to bring future chief intelligence security -- security information officers through the ranks and to share information so everybody has the best skills available today. >> it seems that would be a good partnership even though that's well over 80% of our commerce in the cyber-world is through the private sector. mr. dodge, let me ask you this question because as my colleague, mr. mulvaney was asking you about who bear the cost of a fraudulent transaction. is it between the banks and the retailers -- is there not in existence any particular either express or implied right of
12:49 pm
indemocrat 95 indication between the parties that would -- indemnicication that between the parties that would allow that? >> who pays after a breach and fraud is spelled out in the contract. the retailers are bound by the contracts and unwillingness to if they violate the contract they lose the risk -- they risk losing the right to accept cards. >> there's a limited negotiation is what you're telling me in order for retail -- retailer want to accept a mastercard, they accept the terms and negotiations without negotiation? >> it's not a negotiation. you sign the contract presented to you. >> okay. mr. oxman one of the things we talked about and you talked about well and in depth, is the electronic mastercard/visa chip. for some time, this has been in practice in the european markets, has it not? >> it has. >> and just recently you know, had it not been for i guess had it not been for executive order we would not be pursuing it as fast as we are
12:50 pm
in the united states. what has been the reason for the delay of the implementation of the chip technology here? >> the reason the chip technology is being deployed today in the united states and it's been deployed already in europe is the following. in europe they don't have the ability that we have here to skriep the card online. that is transmitted to the card issuer for a yes or no answer. when the receipt is spit out 1.4 seconds later with a yes answer it's because that transaction was authorized and improved online. in europe they don't have the infrastructure to do that. the card authorized that transaction. which means that chip isn't going anywhere. that's why the chip infrastructure is necessary in europe. >> now we're protecting the database of all the private information and it's encoding or
12:51 pm
incontributing that transaction with a one-time transaction and that allows anybody who captures that to have nothing. >> that's right. the way the system works today your account number is transmitted. cyber thieves are looking for credit card numbers. there are tens of millions of them there. in a token environment it takes that number out of the equation so there's nothing to steal. >> how fast are we moving in that direction? >> very quickly. >> it's going to become pre predominant predominant. >> again, we have an existing infrastructure that needs replaced. but we will get there. it's a great technology and everyone is working together to make it happen. >> i know we've talked about point of sale defenses today. but after the data has been breached and then the consumer's identity is stolen how effective are some of these companies out there that allegedly protect consumers from having their identity stolen?
12:52 pm
is that good or is it bad or just somebody else's opportunity? >> i can't speak to think companies. everybody needs to be vigilant. you need to monitor yourself. i want to go back to a point you made a second ago which is about advancing the technology in cards that have been in europe for a decade. the migration that's happening in the united states is only a half step. we're not requiring the pin. the pin authenticates the card holder. we believe there's a redundancy approach that's needed in the cards. pin and the chip eliminated -- >> need to have it together and we are not moving to that here in the united states because of the decisions made by the card networks. >> thank you. i yield back. >> thank you. and now the gentleman from arizona is recognized for five minutes. >> thank you mr. chairman. a little discussion, maybe a little way from the legislation
12:53 pm
that's being vetted. mr. oxman, from my listening you seem to be the most technical on the panel. is that a fair -- >> i guess i've been voted. >> okay, can we walk through a couple mechanics? first, the philosophical box i want to work from is if you and i wanted to design as robust a system as possible, i'm not asking practical but possible today where i still have the use of my financial instruments my credit cards online at the retailer in any fashion it may be. what would i be doing? when we sat through something in this regard a couple years ago we had such high hopes for the tokenization handoffs and
12:54 pm
randomization of the designs of those tokens. is it token plus? if you and i were designing a system here and making sure that as we work on the legislation that it has enough openness to grab tomorrow's technology what should we be doing? >> a system designed from scratch would ensure that actual information that can be tied back to you or your account cannot bein intercepted. you would you wouldn't transmit information that could be taken by somebody else and used in the same form. that's the real goal of all the layered security technologies that you see deployed today. it's dynamic and it makes sure that interceptioning information cannot be useful. the real difference between the chip and the magnetic stripe is it generates a unique security code with each interaction. if you tried to create a counter
12:55 pm
chip, you wouldn't know the code for the next transaction so it would be useless to you. designing a system from scratch would make sure that the information was dynamic and couldn't be tied back to anything even if it were intercepted. >> is it a blend of handoff mechanics and a biomechanic? if i'm doing online, an i.p. algorithm behind saying is this an i.p. that matches -- what am i doing to make these things work? >> that's the interesting thing about mobile payments which arot lot of great technology companies are moving to deploy. >> you meet me to our last conversation. as we all move to the mobile pay and sort of catching up with the rest of the world is it technology in my payment systems on this is that my future of transaction security? >> it is a great future of transaction security because what that mobile device has on there is the token that we were
12:56 pm
talking about earlier. >> it could have the tokenization, my biodata with my fingerprint and it obviously has its version of not technically an i.p. but the ability to hand over here's the device that goes with this. >> that's right. the future of technology has all of those elements. as almost as if we have an opportunity thanks to the advances in technology to devise that system from scratch. >> for everyone else on the panel, how do i incentivize that? >> the one point i would make is that jason is absolutely right. the future of payments is in mobile technology and we're going there but we're not there yet. there's 1.2 billion cards circulating in the united states and we need to make sure we're locking that down while we're moving to the next generation. i won't try to wade into the
12:57 pm
deep technological conversation but we believe this has great potential and mobile technology and the inkripgs that is in place today will work for a long time. >> so you devalue the data so that it's useless in the hands of criminals and the three technologies that we've talked about today do exactly that. the point of sale, point to point inkripgs and tokenization. you bundle those correctly and implement it properly, the value is useless. there's no reason to break in and even if you did, you can't use it anywhere else. >> my fear is much of today's conversation was who holds the liability, who pays and my fear at one level that's an absurd conversation to have. we should be having the conversation of how do we build the robust technology so we don't have the problem. >> the good news is it's happening while some of the things you mentioned are a small part of the picture the rate at
12:58 pm
which they're growing is rapid and the adoption rate particularly for young people is high. the future that you're shadowing is unfolding. >> yield back. >> now the gentleman from indiana, the chair of the republican policy committee is recognized for five minutes. >> thank you for being here. i think we're getting close to wrapping up. i wanted to talk a little further about breach notification. i think a couple times you got close to this but i just want to make sure i better understand your position and your organization's position. you stated earlier that you wanted clarity for the business community. i know you support the one-sentence standard that was based on reasonable as found in the energy and commerce committee bill. i think if you look at section four of hr 2205, it has a process that's laid out and frankly is much clearer and more
12:59 pm
scaleable. it's based and modelled off of what banks have been doing for 16 years under graham bliely. can you explain from your perspective why you believe 2205's clarity isn't sufficient. >> the graham leach bliely act and the legislation you're referencing were designed primarily for the financial services industry. it was passed in 2000 and enforced over the last 15 years. what we have argued is you have to look at the regulatory landscape as it is today and look at what's been done to other industries. there's been a substantial body of work done by the federal trade commission in enforcing cyber security expectations of businesses. that's established a decade worth of case law that merchants and businesses all under the authority of the ftc understand what the expectations are. >> am i hearing you say that
1:00 pm
while the energy and commerce bill has a one-sentence standard, you believe that one sentence incorporates the ftc standards? >> i do. any business that would be forced to comply with it and most businesses today are don't look at the sentence that would be in the legislation but they would look at what the body of work is and the requirements. >> so i'm understanding your objection, is your objection to who the regulator would be? you believe under the commerce bill it would be a different regulator? >> we think the way that the energy and commerce bill is structured and how it builds upon the work that's undertaken by the ftc toda

8 Views

info Stream Only

Uploaded by TV Archive on